In the Network Topology tree, you must map some portion of your physical network topology from the outside to the inside, or downstream to upstream. To create this mapping, start from the most downstream point of the network segment that you want to control using Cisco Secure Policy Manager and continue defining upstream into the networks that you want to protect. This outside-to-inside perspective means that you start with the network connection to the outermost, downstream Policy Enforcement Point that you want to manage. Commonly, you construct your network to reflect your connection from the Internet node (the sea of information, to complete the downstream/upstream analogy) to your internal, upstream networks.
Note: While you typically have more than one outermost gateway object (one for each connection point to the Internet), we illustrate the basic concepts in this discussion using a single outermost gateway object.
You must first consider the downstream network to which your outermost gateway object's downstream interface is attached. This downstream network always contains the default gateway to which the Policy Enforcement Point delivers all network packets destined downstream of this gateway object. In many cases, the default gateway is an IP address (or hop address) assigned to an upstream interface of a border/access router owned by your Internet service provider. However, you may be managing only an internal segment of a larger network, and in such cases the default gateway maps to a router or other gateway object that you own. In either case, this outermost point represents the default gateway for the network objects that are members of the same perimeter, and this "gateway" is represented by an IP address and network definition assigned to the Internet node in the Network Topology tree.
Let's study a simple example. Figure 3-1 identifies a simple network topology:
When this network is mapped into the Network Topology tree, it will look something like Figure 3-2:
Figure 3-1 identifies seven key pieces that are mapped into the Network Topology tree as follows:
The answer to this question depends on what type of security policies you need to define, where your Policy Enforcement Points are positioned in your network, and where your Cisco Secure Policy Manager servers are positioned. The goal is to define all the network objects that Cisco Secure Policy Manager must know about and all the unique network objects for which you want to define a unique security policy. The key phrase is "you must adequately describe your physical network topology." This definition is required because Cisco Secure Policy Manager must know the location of the objects on your network with which it must interact and communicate.
The extent to which you define your network topology depends on what you want to do. If you intend to enforce a security policy directly on a network object (as opposed to indirectly by applying a security policy to a parent node, such as a network), you must define that network object and include it in the Security Policy Enforcement branch of the Network Policy tree, a task described later in this collection of topics.
However, some network objects are required. You must define the following network objects under the Network Topology tree:
While you do not have to define every network object that physically exists on your network, you must ensure that all network objects that encompass multiple child network objects (such as an internal network) are present. Basically, if you intend to define a special security policy for any network object directly (as opposed to indirectly by applying a more general security policy to a parent node, such as a network), you need to define it in the Network Topology tree. In addition, to actually define a unique policy for a network object, you must reference it in the Security Policy Enforcement branch of the Network Policy tree.
You do not define rules for the Policy Enforcement Points directly; instead, you apply "policies" to the network objects against which you want those policies to be enforced. Cisco Secure Policy Manager generates the "rules" that these policies represent and distributes these device-specific rule sets to the individual Policy Enforcement Points. Therefore, if you are familiar with defining rules for a PIX Firewall or IOS Router, you can understand that if you want to define specific rules for specific network objects, you must define those network objects in the Network Topology tree, as well as any objects on which those network objects depend, such as a host's parent network.
The first task that you must perform after installing Cisco Secure Policy Manager is to define the basics of your network topology. This task involves identifying the network assets for which you want to define specific security policies, identifying the Policy Enforcement Points that can enforce/effect the security policies for these network assets, identifying the policy enablement hosts, and creating a network topology that represents these network objects in a manner that ensures that you can define and apply security policies to those network objects.
The checklist below outlines the decision-making process and the basic flow required to complete the definition of your Network Topology tree. Each step, described in the Step column, may contain several substeps and should be performed in the order presented. References to the specific procedures used to perform each step appear in the Reference column.
| Step | Reference |
|---|---|
| 1. Identify the required network objects on your network. Result: You should have a completed worksheet that identifies the required network objects, their IP addresses, and the types of network servers that run on the policy enablement hosts. This worksheet is used to complete Step 2. | "Identifying Key Components in Your Network Topology" section |
| 2. Define the outermost gateway objects. When you define your network topology, you must define it from downstream (from the Internet) to upstream (into your internal networks). The easiest method for defining gateway objects is to use the Topology Wizard. Using the Topology Wizard, you can discover the interface and device settings or specify them manually. You can access the Topology Wizard by clicking Topology Wizard on the Wizards menu. In addition, you can manually define any gateway object. The tasks referenced by this step are the tasks that explain how to manually define a gateway object. You must define the interface settings on the Internet node before you can define any other gateway objects. If you use the Topology Wizard, the interface settings for the Internet node are defined automatically based on the configuration information that you provide. One of the most important concepts within Result: The outermost networks and gateway devices are defined, and the connections between those gateway devices and the Internet node, which represent connections to Internet service providers, are defined. | "Specifying the Interface Settings of the Internet Node" section; "Creating an IOS Router Node" section; "Specifying the Interface Settings for an IOS Router Node" section; "Creating a PIX Firewall Node" section; "Specifying the Interface Settings for a PIX Firewall Node" section; "Defining a New Cloud Node" section |
| 3. Define network assets. Network assets represent those network objects, such as specific networks and hosts, for which you want to define exceptional network policies. These network objects are the ones that were identified in Step 1, with the exception of the Result: The network assets that you identified in Step 1 are defined under the Network Topology tree. | "Creating a Network Node" section; "Creating a Host Node" section; "Specifying a Client/Server Product is Running on a Host Node" section |
| 4. Define Cisco Secure Policy Manager hosts. The Primary Server node represents one of two server types that host the client/server products for Cisco Secure Policy Manager. The Primary Server node indicates that this host is running the Primary Policy Database, where all configuration information is stored and to which all GUI clients connect to view or edit the system configuration. This node organizes those settings specific to the subsystems that store and retrieve audit event records, generate and display reports, and publish network policies to Policy Enforcement Points. These subsystems include the Primary Policy Database, Policy Monitor Point, Policy Report Point, and Policy Distribution Point. The Secondary Server node indicates that this host is running a distributed installation feature set. Depending on what feature set you installed, this node organizes those settings specific to the subsystems that store and retrieve audit event records, generate and display reports, and publish network policies to Policy Enforcement Points. These subsystems can include the Secondary Policy Database, Policy Monitor Point, Policy Report Point, and Policy Distribution Point. Result: All Cisco Secure Policy Manager hosts are defined within your Network Topology. | |
| 5. Define reachable networks. When you define the remainder of your network topology, you should use Cloud nodes. In fact, you should define Cloud nodes for as much of your network as possible. Clouds provide a logical grouping of networks, and thereby of hosts residing on those networks, that are reachable via an upstream gateway. The Cloud node is a special gateway object that attaches cloud networks to fully defined networks. To attach the two types of networks, the Cloud node identifies the IP addresses, representing default gateways, attached to those interfaces residing on the fully defined networks (which are either upstream or downstream of the cloud). The Cloud node also has a special interface type called Cloud Networks, which organizes the cloud networks. In terms of the Cloud node, cloud networks exist within the cloud. However, in reality, they exist upstream from the default gateway specified on the downstream interface of the Cloud node. Cloud nodes organize those settings required to identify and route to networks that reside upstream from the gateway. Clouds are unique gateway objects because they do not require at least two real interfaces, as Policy Enforcement Points do. Instead, the Cloud node has at least one real interface (the downstream interface) and exactly one Cloud Networks interface (an upstream interface). When you specify an IP address associated with a non-cloud interface, you are specifying the default gateway through which the cloud networks organized under the Cloud Networks interface (and therefore within the cloud) can be reached. Result: All internal networks that are reachable from other network objects within your network are defined within one or more Cloud nodes. | "Defining a New Cloud Node" section |
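As an added illustration (not Cisco Secure Policy Manager code), the following Python model encodes the structural rules the checklist states for a Network Topology tree: the Internet node's interface settings come first, a Policy Enforcement Point has at least two real interfaces, a Cloud node has a real downstream interface plus a Cloud Networks interface, a host's parent network must exist, and a downstream interface's default gateway must lie on the network that interface attaches to. Node kinds, field names and the sample addresses are assumptions made for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass
class Interface:
    address: str                           # "a.b.c.d/prefix" on the attached network
    default_gateway: Optional[str] = None  # set only on a downstream interface

@dataclass
class Node:
    name: str
    kind: str                              # Internet, PIX, IOS, Cloud, Network, Host
    interfaces: List[Interface] = field(default_factory=list)
    cloud_networks: List[str] = field(default_factory=list)  # Cloud nodes only
    parent: Optional[str] = None           # Host -> name of its Network node

def validate_topology(nodes: List[Node]) -> List[str]:
    """Return the rule violations found (an empty list means the tree is consistent)."""
    by_name = {n.name: n for n in nodes}
    problems = []
    internet = [n for n in nodes if n.kind == "Internet"]
    if len(internet) != 1 or not internet[0].interfaces:
        problems.append("Internet node missing or its interface settings are undefined")
    for n in nodes:
        if n.kind in ("PIX", "IOS") and len(n.interfaces) < 2:
            problems.append(f"{n.name}: Policy Enforcement Point needs at least two real interfaces")
        if n.kind == "Cloud" and (not n.interfaces or not n.cloud_networks):
            problems.append(f"{n.name}: Cloud node needs a real downstream interface and a Cloud Networks interface")
        if n.kind == "Host" and (n.parent not in by_name or by_name[n.parent].kind != "Network"):
            problems.append(f"{n.name}: parent network is not defined in the tree")
        for itf in n.interfaces:
            # The default gateway must sit on the downstream network this interface attaches to.
            if itf.default_gateway and ip_address(itf.default_gateway) not in ip_network(itf.address, strict=False):
                problems.append(f"{n.name}: default gateway {itf.default_gateway} is not on {itf.address}")
    return problems

# Constructed sample topology (documentation address ranges; not taken from the page).
SAMPLE = [
    Node("Internet", "Internet", [Interface("198.51.100.0/24")]),
    Node("pix-outer", "PIX", [Interface("198.51.100.2/24", "198.51.100.1"),  # downstream, to the ISP router
                              Interface("192.0.2.1/24")]),                   # upstream, to the DMZ
    Node("dmz", "Network"),
    Node("www", "Host", parent="dmz"),
    Node("corp-cloud", "Cloud", [Interface("192.0.2.2/24", "192.0.2.1")], cloud_networks=["10.0.0.0/8"]),
    Node("orphan", "Host", parent="undefined-net"),                          # deliberately broken
    Node("lone-router", "IOS", [Interface("203.0.113.5/24", "192.0.2.9")]),  # deliberately broken
]
```

Running `validate_topology(SAMPLE)` reports the orphaned host and both defects of the single-interface router, while the first five nodes alone validate cleanly.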
|
The following worksheet lists the network object types that you must identify, and the information about each that you need in order to define it in the Network Topology tree.
| Network Object Type | Required Information | | |
|---|---|---|---|
| ISP Connections | IP address used by your outermost gateways to reach the ISP connections | | |
| Valuable Network Assets | asset name | IP address or network address | associated network mask (if asset is a network) |
| Policy Enforcement Points | IP addresses per interface | associated network address | associated network mask |
| Policy Enablement Hosts | hostname | IP address | client/server product type |
| Reachable Networks | network name | network address | default gateway address for network |
Posted: Sun Jun 4 16:59:57 PDT 2000
Copyright 1989 - 2000 © Cisco Systems Inc.